
Enabling Threat Hunting and Analysis with the Revamped CrowdSec CTI Report

In our continuous pursuit of better cybersecurity, we ran into a problem: presenting the wealth of information provided by our Cyber Threat Intelligence (CTI) platform effectively. Having a real treasure of information, with the only problem being how to present it, is, admittedly, a good problem to have!

While our CTI furnishes valuable insights, displaying them clearly proved to be a formidable task. Our first iteration of the CTI web report, though comprehensive, struggled to deliver information in a user-friendly manner, leaving users searching for the most relevant details. On top of that, our attempt to quantify IP scores on a scale of 5 or 10 created more confusion than clarity: what does a 3/5 mean compared to a 4/5? Should I block it, or should I ignore it?

Recognizing the need for a more intuitive approach, we chose transparency and refinement. By replacing numerical scores with descriptive labels (Malicious, Suspicious, Known, and Safe), we simplify the assessment of an IP address and give users clearer, more actionable information to defend against emerging threats.

Introducing the new CTI layout

Our first goal with the revamped CTI report was to make it clear at first glance whether an IP address is malicious or benign. When you search for an IP address in the CrowdSec Console or on the IP Lookup page, the first thing to catch your attention is the IP's reputation.

Here is an example of an IP with a bad reputation:

[Screenshot: report header of an IP with a bad reputation]

Versus a legitimate IP address:

[Screenshot: report header of a legitimate IP address]

Looking at these two headers, there should be no doubt in your mind as to which address is the nefarious one!

But let's also take a look at the other information displayed on the report.

Give me the gist of it

The first line gathers all the information essential to assess an IP address.

Crowd Confidence represents how confident we are in the information we provide for a given IP address. In the past this was a numeric score; it is now one of three levels: High, Medium, and Low.

One of the most important metrics on the CTI report is the background noise. For those who used the CTI before the revamp, background noise was also a score on a scale of 10 (yes, yet another score...), which we turned into four levels: None, Low, Medium, and High. A High background noise means the IP is seen hitting many targets across the network indiscriminately, so finding it in your logs is not, by itself, a sign that you are being specifically targeted.

Naturally, you can also see the location of the IP and the first and last dates it was seen in our network.

Finally, we added the behavior, that is, the type of attack performed by the IP, and the associated MITRE ATT&CK techniques.

Ok, now I want to dive in

Getting high-level information on an IP is not always enough. To assist you with threat hunting or analysis, the report also provides the following information sets.

  • IP range and Autonomous System: know which organization the IP belongs to or, for example, whether it is hosted in a cloud environment.
  • Reverse DNS: this can also help you identify the organization the IP belongs to.
  • IP top classifications: this helps you profile an IP address. The full list of classifications attributed to the IP is at the bottom of the report, but we consider this information important enough to display at the top as well. The list of all possible classifications is available in the CrowdSec documentation.

Scroll a bit further down to find the following collapsible sections.

  • Activity: the IP address's daily activity over the last three months.
  • Blocklists: this new section lists any blocklists from the CrowdSec blocklist catalog that contain this IP address.
  • Classifications: previously known as Categories; all the classifications attributed to the IP.
  • Target countries: as in the previous version, the top countries targeted by the IP address (as percentages).
  • Attack details: all the CrowdSec Scenarios or AppSec rules reported by the CrowdSec community for this IP address.

Ways to access the CrowdSec CTI

So far, we've seen the new design of the CTI web report, but did you know that the CrowdSec CTI can also be consumed outside the Console?

Indeed, there are several ways to consume the CrowdSec CTI. The most direct one is the CTI API: with an API key sent in the x-api-key header, looking up a single IP is one HTTP request, and the response is JSON that you can feed straight into scripts, SIEM enrichment, or a SOAR playbook:

curl -H "x-api-key: [API_KEY]" "https://cti.api.crowdsec.net/v2/smoke/[IP_ADDRESS]"
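The request above returns the same fields the web report shows on its first line (reputation, Crowd Confidence, background noise, behaviors, MITRE techniques). Below is an added Python example, not CrowdSec's own code, that performs that request and applies a simple block/watch/ignore rule to those headline fields; it also runs offline against constructed sample responses. The URL and header are those from the curl command; the JSON field names, the CROWDSEC_CTI_KEY environment variable, and the triage rules are my assumptions.

```python
"""Query one IP in the CrowdSec CTI smoke endpoint and triage the report.

Added example, not CrowdSec's own code. The URL and x-api-key header come from
the curl command above; the JSON field names used here (reputation, confidence,
background_noise, behaviors, mitre_techniques, history) are assumptions about
the response layout and must be checked against the CTI API documentation.
"""
import json
import os
import sys
import urllib.request

CTI_URL = "https://cti.api.crowdsec.net/v2/smoke/{ip}"

# The report's descriptive levels, ordered from least to most severe so they
# can be compared rather than treated as opaque strings.
REPUTATION_ORDER = ["safe", "known", "suspicious", "malicious"]
CONFIDENCE_ORDER = ["low", "medium", "high"]
NOISE_ORDER = ["none", "low", "medium", "high"]


def fetch_report(ip, api_key, timeout=10):
    """Same request as the curl command; returns the parsed JSON body."""
    req = urllib.request.Request(CTI_URL.format(ip=ip), headers={"x-api-key": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _rank(order, value):
    """Index of a level in its ordering; missing or unknown values rank lowest."""
    value = (value or "").lower()
    return order.index(value) if value in order else -1


def triage(report):
    """Map the headline fields of a CTI report to block / watch / ignore.

    Rules are my own (an assumption, not a CrowdSec recommendation):
    Malicious with High or Medium confidence -> block; Suspicious, or Malicious
    with Low confidence -> watch; any other IP with High background noise ->
    watch (it hits many targets indiscriminately, so seeing it is not evidence
    that you are targeted); everything else -> ignore.
    """
    rep = _rank(REPUTATION_ORDER, report.get("reputation"))
    conf = _rank(CONFIDENCE_ORDER, report.get("confidence"))
    noise = _rank(NOISE_ORDER, report.get("background_noise"))

    if rep == REPUTATION_ORDER.index("malicious") and conf >= CONFIDENCE_ORDER.index("medium"):
        verdict = "block"
    elif rep >= REPUTATION_ORDER.index("suspicious") or noise == NOISE_ORDER.index("high"):
        verdict = "watch"
    else:
        verdict = "ignore"

    # Carry the behaviour and MITRE technique identifiers along for the analyst.
    return {
        "ip": report.get("ip"),
        "verdict": verdict,
        "behaviors": [b.get("label") or b.get("name") for b in report.get("behaviors") or []],
        "mitre_techniques": [t.get("name") for t in report.get("mitre_techniques") or []],
        "last_seen": (report.get("history") or {}).get("last_seen"),
    }


# Constructed sample responses (not real CTI data, TEST-NET addresses), shaped
# like the response layout assumed above.
SAMPLE_MALICIOUS = {
    "ip": "203.0.113.10", "reputation": "malicious", "confidence": "high",
    "background_noise": "high",
    "behaviors": [{"name": "ssh:bruteforce", "label": "SSH Bruteforce"}],
    "mitre_techniques": [{"name": "T1110", "label": "Brute Force"}],
    "history": {"first_seen": "2024-01-02T00:00:00+00:00", "last_seen": "2024-03-01T12:00:00+00:00"},
}
SAMPLE_NOISY = {
    "ip": "198.51.100.7", "reputation": "known", "confidence": "medium",
    "background_noise": "high",
    "behaviors": [{"name": "http:crawl", "label": "HTTP Crawl"}],
    "mitre_techniques": [{"name": "T1595", "label": "Active Scanning"}],
    "history": {"first_seen": "2024-02-10T00:00:00+00:00", "last_seen": "2024-03-02T08:00:00+00:00"},
}
SAMPLE_SAFE = {
    "ip": "203.0.113.200", "reputation": "safe", "confidence": "high",
    "background_noise": "none", "behaviors": [], "mitre_techniques": [],
}


if __name__ == "__main__":
    # With CROWDSEC_CTI_KEY set (assumed variable name) and IPs on the command
    # line, query the live API; otherwise triage the constructed samples.
    api_key = os.environ.get("CROWDSEC_CTI_KEY")
    if api_key and len(sys.argv) > 1:
        reports = [fetch_report(ip, api_key) for ip in sys.argv[1:]]
    else:
        reports = [SAMPLE_MALICIOUS, SAMPLE_NOISY, SAMPLE_SAFE]
    for r in reports:
        print(json.dumps(triage(r)))
```

The point of ordering the levels is that the decision logic compares severity rather than string-matching each label, so a Malicious IP reported with Low confidence lands in "watch" instead of being auto-blocked, and a Known IP with High background noise is flagged as noise rather than ignored outright. Adjust the thresholds to your own risk appetite before wiring this into a blocklist.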

What’s next?

With our revamped CTI report, we aim to empower users to swiftly locate vital information. With a fresh design in place, we’re excited to tease an upcoming enhancement: the CTI search bar will evolve beyond just IP address queries. Get ready to explore the depths of our CTI database like never before. Stay tuned for the unveiling!

